TL;DR: Shadow AI is spreading faster than most organisations can govern it, and IBM’s 2025 breach research says 63% lacked formal AI guidelines, leaving data, code, and workflows exposed outside intended boundaries. Existing IAM and device controls help, but they do not by themselves create AI governance discipline.
NHIMG editorial — based on content published by JumpCloud: AI governance, shadow AI, and the controls already in place
By the numbers:
- 63% of organizations lacked formal guidelines for managing AI, failing to prevent the use of shadow AI.
Questions worth separating out
Q: How should security teams govern shadow AI without blocking useful adoption?
A: Start by governing access, not by banning tools.
Q: Why do existing IAM controls only partially solve AI governance?
A: IAM decides who can reach a service, but AI governance also has to control what data is submitted and how the service may use it.
Q: What do organisations get wrong about shadow AI risk?
A: They focus on the novelty of AI tools and miss the older control failures underneath them.
Practitioner guidance
- Map all approved AI entry points: Inventory which identities, applications, and managed devices are allowed to reach AI services that can process company data.
- Extend conditional access to AI services: Apply access rules that consider user role, device posture, and data sensitivity before prompts or files can leave the environment.
- Treat shadow AI as a discovery problem: Add endpoint telemetry, browser visibility, and identity logs to find where employees are already using AI tools.
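One way to combine the three guidance items above into a single check, as an added example that is not from JumpCloud's post or this editorial: it compares constructed proxy log lines against a constructed inventory of approved AI entry points and flags use that falls outside it by identity or device posture. The host names, identities, log format, and function names are assumptions made for illustration.

```python
# Constructed inventory of approved AI entry points (hypothetical names):
# AI service host -> identities allowed to reach it from a managed device.
APPROVED = {
    "assistant.approved-ai.example": {"alice@corp.example", "svc-build@corp.example"},
}
# Constructed list of hosts known to be AI services, approved or not.
AI_HOSTS = set(APPROVED) | {"chat.unvetted-ai.example"}

# Constructed proxy log lines: timestamp user device_posture host bytes_out
SAMPLE_LOG = """\
2025-01-10T09:00:01Z alice@corp.example managed assistant.approved-ai.example 512
2025-01-10T09:02:17Z bob@corp.example managed assistant.approved-ai.example 2048
2025-01-10T09:05:40Z alice@corp.example unmanaged assistant.approved-ai.example 900
2025-01-10T09:07:03Z carol@corp.example managed chat.unvetted-ai.example 40960
2025-01-10T09:09:55Z carol@corp.example managed intranet.corp.example 300
"""


def classify(user, posture, host):
    """Return None for allowed or non-AI traffic, else why it counts as shadow AI."""
    if host not in AI_HOSTS:
        return None  # not an AI service, out of scope for this check
    if host not in APPROVED:
        return "unapproved AI service"
    if posture != "managed":
        return "unmanaged device"
    if user not in APPROVED[host]:
        return "identity not in inventory"
    return None


def find_shadow_ai(log_text):
    """Return (user, host, reason, bytes_out) for each request outside the inventory."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than guessing fields
        _ts, user, posture, host, bytes_out = parts
        reason = classify(user, posture, host)
        if reason:
            findings.append((user, host, reason, int(bytes_out)))
    return findings


if __name__ == "__main__":
    for user, host, reason, sent in find_shadow_ai(SAMPLE_LOG):
        print(f"{user} -> {host}: {reason} ({sent} bytes out)")
```

The outbound byte count is kept in each finding because it gives a rough sense of how much data left the environment, which helps decide what to review first.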
What's in the full article
JumpCloud's full blog post covers the operational detail this post intentionally leaves for the source:
- Practical examples of how IAM controls can be applied to approved AI tools without building a new governance stack.
- Device-management tactics for spotting unmanaged endpoints that are already interacting with external AI services.
- The article's broader argument for using existing security controls as the base layer for AI governance.
- How the vendor frames autonomous agents in relation to ordinary AI adoption, which matters if you are separating human use from machine use.